I am burning my way through CEH self study and I am going to test in a few weeks. I wanted to know if it would be worth my while to also go back for GCIH. GCIH was my first pick for my next certification, but due to department budget issues not being resolved, I went with my second choice. Is there a lot of overlap in CEH and GCIH? I've been told that GCIH focuses more on defense and incident response, where CEH is more of attack (which is what I am finding).

GCIH is primarily focused on Incident Handling which is a solid subject to focus on, although you may be better off focusing on GPEN (Network pentesting) and GWAPT (Web Application Pentesting) which is more of what you're looking for.

Now of course most of these tracks assume little to no security to pull these off so I would also suggest strong familiarity with security infrastructure that supersedes a simple firewall and IPS. As part of PCI compliance now (since 7/08), it requires a web app firewall to address top 10 OWASP vulnerabilities which can also focus on web services security. Plus there's endpoint security, network admission control for posture assessment, email & web content filtering, network security management (event correlation & mitigation), and more. Many networks are bound to have at least one of these, if not more.

I would def go with GCIH. In my opinion, as well as my bosses, GCIH is more marketable to employers. Incident Handling is a valuable skill to have, especially in these times. As a plus you also get the hacker exploits and techniques part which preps you for offensive security and pentesting if that's what you are looking to do.

There are about three reviews below your topic in the forums reviewing GCIH and I also recommended reading here:

Also I tend to tell students to look into getting the Certified Network Defense Architect if they will be consulting gov or state agencies. Same test as the CEH, different name. State/gov offices don't like the word "hacker" in anyone's title, the exam code for that CNDA is 312-99 and you have to email EC to get to take it.

I would just say that there is no comparison between the 2 courses. The focus of both certs is totally opposite. CEH focuses mostly on the offensive security mostly on attack tools while GCIH focuses on Defensive and Incident Response.

Though there might be some overlap of what is covered in both, the focus is totally opposite.

It all depends on what your job requirement is to choose one over the other.

Jhaddix wrote: Also I tend to tell students to look into getting the Certified Network Defense Architect if they will be consulting gov or state agencies. Same test as the CEH, different name. State/gov offices don't like the word "hacker" in anyone's title, the exam code for that CNDA is 312-99 and you have to email EC to get to take it.

Alternatively, once you have earned CEH you can pay a $50 (last I checked) fee to receive CNDA (and I'm sure there's some sort of application/paperwork that goes along with it).

Thank you all for the information regarding GCIH. My team is moving towards a security operations center (CIRT level 1) role and I think once I self study I can get my manager to pop for the cheapest SANS training option.

Thanks for the link to the CNDA application. I may be able to swing it, as long as their interpretation of US Govt. Agency is loose. I work for a big company who is good friends with the government and I have enough ties to an agency/program to be able to keep "secrets".

unsupported wrote: Does anyone have experience with converting a CEH to CNDA?

I don't have any personal experience with it.

You could try shooting an email to info@eccouncil.org with your questions. If you don't get a reply in a suitable amount of time (or don't get a good answer), let me know and I'll see what I can find out for you.

If GCIH is your first choice then it sounds like you are looking to go down the incident handler path. If that is the case then the CEH won't really help you achieve your goal, however, it isn't a bad supplement. If you know more about the potential ways an intruder will be getting in to your network then that always helps in incident response. It won't help with the detection and eradication portions of IH, but it never hurts to keep learning.

If you are looking to go down the offensive path then I would recommend the GPEN from SANS. The SANS class does a good job explaining attacks and also includes valuable sections for reporting your findings to the client which is not included in the CEH. If you can effectively communicate, classify, and prioritize your findings to the client then it doesn't matter how good the attack was. At the end of the day there has to be value for the client.

GCIH was my first choice, but I took CEH because my departmental budget was not finalized. I am really enjoying the CEH material and look forward to GCIH. I missed out on the Orlando SANS, but maybe my manager will shell out the cash for the at home training. Especially since I would be using my own time, but the company's money. When sending someone to training they weigh the costs of the actual course and how much the employee makes that week.

Once I am done with CEH, I'll take a low approach with Counter Hack Reloaded.